Abstract. Discrete abstractions of continuous and hybrid systems have recently been the topic of great interest from both the control systems and the computer science communities, because they provide a sound mathematical framework for analysing and controlling embedded systems. In this paper we give a further contribution to this research line, by addressing the problem of symbolic control design of nonlinear systems with infinite states specifications, modelled by differential equations. We first derive the symbolic controller solving the control design problem, given in terms of discrete abstractions of the plant and the specification systems. We then present an algorithm which integrates the construction of the discrete abstractions with the design of the symbolic controller. Space and time complexity analysis of the proposed algorithm is performed and a comparison with traditional approaches currently available in the literature for symbolic control design is discussed. Some examples are included, which show the interest and applicability of our results.



1. Introduction 

Discrete abstractions of continuous and hybrid systems have been the topic of intensive study in the last twenty years from both the control systems and the computer science communities [EFP06]. While physical world processes are often described by differential equations, digital controllers and software and hardware at the implementation layer are usually modelled through discrete/symbolic processes. This heterogeneity of mathematical models has posed over the years interesting and challenging theoretical problems that need to be addressed in order to ensure the formal correctness of control algorithms. One approach to deal with this heterogeneity is to construct symbolic models that are equivalent to the continuous process, so that the mathematical model of the process, of the controller, and of the software and hardware at the implementation layer are of the same nature. Several classes of dynamical and control systems admitting symbolic models were identified over the years. We recall timed automata [AD94], rectangular hybrid automata [HKPV98], and o-minimal hybrid systems [LPS00] in the class of hybrid automata. Control systems were considered further. Early results in this regard are reported in the work of [CW98], [MRO02], [FJL02] and [BMP02]. Recent results include the work of [TP06], which showed existence of symbolic models for controllable discrete-time linear systems, and the work of [HCS06, BH06] for piecewise-affine and multi-affine systems. Many of the aforementioned works are based on the notion of bisimulation equivalence, introduced by Milner and Park [Mil89, Par81] in the context of concurrent processes, as a formal equivalence notion to relate continuous and hybrid processes to purely discrete/symbolic models. A new insight in the construction of symbolic models has been recently placed through the notion of approximate bisimulation introduced by Girard and Pappas in [GP07]. Based on the above notion, some classes of incrementally stable [Ang02] control systems were recently shown to admit symbolic models: discrete-time linear control systems [Gir07], nonlinear control systems with and without disturbances [PGT08, PT09], nonlinear time-delay systems [PPDT10] and switched nonlinear systems [GPT10]. Recent results in the work of [ZPT10] have also shown the existence of symbolic models for unstable nonlinear control systems, satisfying the so-called incremental forward completeness property. The use of symbolic models in the control design of continuous and hybrid systems has been investigated in the work of [TP06, YB09, Tab08], among many others. The work in [TP06] considers discrete-time linear control systems, the work in [YB09] considers piecewise-affine systems, while the work in [Tab08] considers stabilizable nonlinear control systems. In this paper we give a further contribution to this research line and in particular, in the direction of [Tab08]. We consider symbolic control design of nonlinear control systems where specifications are characterized by an infinite number of states and modelled through differential equations: given a plant nonlinear control system and a specification nonlinear (autonomous) system, we investigate conditions for the existence of a symbolic controller that implements the behaviour of the specification, with a precision that can be rendered as small as desired. In other words, we look for a symbolic controller so that the interconnection between the plant and the controller satisfies or conforms to [CGP99] the specification with an arbitrarily small precision. The symbolic controller is furthermore requested to be non-blocking in order to prevent the occurrence of deadlocks in the interaction between the plant and the symbolic controller. This control design problem can be seen as an approximated version of similarity games, as discussed in [Tab09]. Similar problems have been studied in the literature (in a non-approximating setting) in the context of supervisory control [CL99] and of symbolic control design for piecewise-affine systems enforcing temporal logic specifications [YB09], among many others.

The control design problem that we consider in this paper has been solved by following the so-called correct-by-design approach, see e.g. [TP06, Tab08, YB09]. We first construct the symbolic models of the plant and the specification by making use of (some variations of) the results established in [PGT08]. We then solve the control design problem at the symbolic layer, to finally come back to the continuous layer, by providing appropriate approximating bounds on the quantization errors which guarantee the solution to the control design problem under study. The solution of the control design problem at the symbolic layer is shown to be the maximal non-blocking part of the (exact) parallel composition [CL99] of the symbolic models associated with the plant and the specification. By following the correct-by-design approach, the design of the symbolic controller solving the problem at hand requires a first computation of the plant and the specification symbolic models, then a construction of the (exact) parallel composition of the symbolic systems obtained and finally a computation of the maximal non-blocking part of the composed system. While being formally correct from the theoretical point of view, this approach is in general rather demanding from the computational point of view, because of the large size of the symbolic models that need to be constructed in order to synthesize the symbolic controller solving the design problem. This drawback is common to other approaches currently available in the literature on symbolic control design of continuous and hybrid systems, see e.g. [TP06, YB09, Tab08], and motivated some researchers to propose solutions to cope with complexity. For example, the work in [TiI09] proposes nonuniform state quantizations in the construction of the symbolic models of the to-be-controlled plant system. In this paper we propose an alternative solution to the one studied in [TiI09]. Inspired by on-the-fly verification and control of timed or untimed transition systems (see e.g. [CVWY92, TA99]), we approach the design of symbolic controllers by advocating an "integration" philosophy: instead of computing separately the symbolic models of the plant and of the specification to then design the controller at the symbolic layer, we integrate each step of the procedure in only one algorithm. Space and time complexity analysis of the proposed algorithm is performed and a comparison with traditional approaches currently available in the literature is discussed. Some examples are included which show the interest and applicability of our results. For the sake of completeness, a detailed list of the employed notation is included in the Appendix (Section 8).



2. Preliminary Definitions 



2.1. Control Systems. The class of control systems that we consider in this paper is formalized in the 
following definition. 

Definition 2.1. A control system is a quintuple:

(2.1) $\Sigma=(X,X_0,U,\mathcal{U},f)$,

where:

• $X\subseteq\mathbb{R}^n$ is the state space;

• $X_0\subseteq X$ is the set of initial states;

• $U\subseteq\mathbb{R}^m$ is the input space;

• $\mathcal{U}$ is a subset of the set of all locally essentially bounded functions of time from intervals of the form $]a,b[\,\subseteq\mathbb{R}$ to $U$ with $a<0$, $b>0$;

• $f:\mathbb{R}^n\times U\to\mathbb{R}^n$ is a continuous map satisfying the following Lipschitz assumption: for every compact set $K\subseteq\mathbb{R}^n$, there exists a constant $\kappa\in\mathbb{R}^+$ such that

$\|f(x,u)-f(y,u)\|\le\kappa\|x-y\|$,

for all $x,y\in K$ and all $u\in U$.

A curve $\xi:]a,b[\to\mathbb{R}^n$ is said to be a trajectory of $\Sigma$ if there exists $u\in\mathcal{U}$ satisfying:

(2.2) $\dot{\xi}(t)=f(\xi(t),u(t))$,

for almost all $t\in]a,b[$. Although we have defined trajectories over open domains, we shall refer to trajectories $\xi:[0,\tau]\to\mathbb{R}^n$ defined on closed domains $[0,\tau]$, $\tau\in\mathbb{R}^+$, with the understanding of the existence of a trajectory $\xi':]a,b[\to\mathbb{R}^n$ such that $\xi=\xi'|_{[0,\tau]}$. We also write $\xi_{xu}(\tau)$ to denote the point reached at time $\tau$ under the input $u$ from initial condition $x$; this point is uniquely determined, since the assumptions on $f$ ensure existence and uniqueness of trajectories [Son98]. A control system $\Sigma$ is said to be forward complete if every trajectory is defined on an interval of the form $]a,\infty[$. Sufficient and necessary conditions for a system to be forward complete can be found in [AS99]. The above formulation of control systems can also be used to model autonomous nonlinear systems, i.e. systems with no control inputs. With a slight abuse of notation we denote an autonomous system $\Sigma$ by means of the tuple $(X,X_0,f)$.

2.2. Systems. We will use systems to describe both control systems as well as their symbolic models. For a detailed exposition of the notion of systems and of their properties we refer to [Tab09].

Definition 2.2. [Tab09] A system $S$ is a sextuple:

$S=(X,X_0,U,\longrightarrow,Y,H)$,

consisting of:

• a set of states $X$;

• a set of initial states $X_0\subseteq X$;

• a set of inputs $U$;

• a transition relation $\longrightarrow\subseteq X\times U\times X$;

• an output set $Y$;

• an output function $H:X\to Y$.

A transition $(x,u,x')\in\longrightarrow$ of system $S$ is denoted by $x\xrightarrow{u}x'$. System $S$ is said to be:

• countable, if $X$ and $U$ are countable sets;

• symbolic, if $X$ and $U$ are finite sets;

• metric, if the output set $Y$ is equipped with a metric $d:Y\times Y\to\mathbb{R}_0^+$;

• deterministic, if for any $x\in X$ and $u\in U$ there exists at most one $x'\in X$ such that $(x,u,x')\in\longrightarrow$;

• non-blocking, if for any $x\in X$ there exists $(x,u,x')\in\longrightarrow$;

• accessible, if for any $x\in X$ there exists a finite number of transitions

$x_0\longrightarrow x_1\longrightarrow\cdots\longrightarrow x$

starting from an initial state $x_0$ in $X_0$ and ending up in $x$.

We now introduce some notions which will be employed in the further developments. We start by introducing 
the notion of sub-system which formalizes the idea of extracting from the original system a subset of states, 
inputs and transitions. 
Definition 2.3. Given two systems $S_1=(X_1,X_{0,1},U_1,\longrightarrow_1,Y_1,H_1)$ and $S_2=(X_2,X_{0,2},U_2,\longrightarrow_2,Y_2,H_2)$, system $S_1$ is a sub-system of $S_2$, denoted $S_1\sqsubseteq S_2$, if $X_1\subseteq X_2$, $X_{0,1}\subseteq X_{0,2}$, $U_1\subseteq U_2$, $\longrightarrow_1\subseteq\longrightarrow_2$, $Y_1\subseteq Y_2$ and $H_1(x)=H_2(x)$ for any $x\in X_1$.

The following notion formalizes the idea of extracting the maximal non-blocking sub-system from a system, where maximality is given with respect to the notion of sub-system, which naturally induces a preorder on the class of systems.

Definition 2.4. Given a system $S=(X,X_0,U,\longrightarrow,Y,H)$ the non-blocking part of $S$ is a system $Nb(S)$ so that:

(i) $Nb(S)$ is a non-blocking system;

(ii) $Nb(S)$ is a sub-system of $S$;

(iii) $S'\sqsubseteq Nb(S)$, for any non-blocking $S'\sqsubseteq S$.

We finally introduce the notion of accessible part [CL99] which formalizes the idea of extracting the maximal accessible sub-system from a system.

Definition 2.5. Given a system $S=(X,X_0,U,\longrightarrow,Y,H)$ the accessible part of $S$ is a system $Ac(S)$ so that:

(i) $Ac(S)$ is an accessible system;

(ii) $Ac(S)$ is a sub-system of $S$;

(iii) $S'\sqsubseteq Ac(S)$, for any accessible $S'\sqsubseteq S$.

In this paper we consider simulation and bisimulation relations [Mil89, Par81] that are useful when analyzing or designing controllers for deterministic systems [Tab09]. Bisimulation relations are standard mechanisms to relate the properties of systems. Intuitively, a bisimulation relation between a pair of systems $S_1$ and $S_2$ is a relation between the corresponding state sets explaining how a state trajectory $s_1$ of $S_1$ can be transformed into a state trajectory $s_2$ of $S_2$ and vice versa. While typical bisimulation relations require that $s_1$ and $s_2$ are observationally indistinguishable, that is $H_1(s_1)=H_2(s_2)$, we shall relax this by requiring $H_1(s_1)$ to simply be close to $H_2(s_2)$, where closeness is measured with respect to the metric on the output set. A simulation relation is a one-sided version of a bisimulation relation. The following notions have been introduced in [GP07] and in a slightly different formulation in [Tab08].

Definition 2.6. Let $S_1=(X_1,X_{0,1},U_1,\longrightarrow_1,Y_1,H_1)$ and $S_2=(X_2,X_{0,2},U_2,\longrightarrow_2,Y_2,H_2)$ be metric systems with the same output sets $Y_1=Y_2$ and metric $d$, and consider a precision $\varepsilon\in\mathbb{R}_0^+$. A relation

$\mathcal{R}\subseteq X_1\times X_2$,

is said to be an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$, if the following conditions are satisfied:

(i) for every $x_1\in X_{0,1}$, there exists $x_2\in X_{0,2}$ with $(x_1,x_2)\in\mathcal{R}$;

(ii) for every $(x_1,x_2)\in\mathcal{R}$ we have $d(H_1(x_1),H_2(x_2))\le\varepsilon$;

(iii) for every $(x_1,x_2)\in\mathcal{R}$ we have that:

$x_1\xrightarrow{u_1}x_1'$ in $S_1$ implies the existence of $x_2\xrightarrow{u_2}x_2'$ in $S_2$ satisfying $(x_1',x_2')\in\mathcal{R}$.

System $S_1$ is $\varepsilon$-approximately simulated by $S_2$, or $S_2$ $\varepsilon$-approximately simulates $S_1$, denoted by $S_1\preceq_\varepsilon S_2$, if there exists an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$. When $\varepsilon=0$, system $S_1$ is said to be 0-simulated by $S_2$, or $S_2$ is said to 0-simulate $S_1$.

By symmetrizing the notion of approximate simulation we obtain the notion of approximate bisimulation, 
which is reported hereafter. 
Definition 2.7. Let $S_1=(X_1,X_{0,1},U_1,\longrightarrow_1,Y_1,H_1)$ and $S_2=(X_2,X_{0,2},U_2,\longrightarrow_2,Y_2,H_2)$ be metric systems with the same output sets $Y_1=Y_2$ and metric $d$, and consider a precision $\varepsilon\in\mathbb{R}_0^+$. A relation

$\mathcal{R}\subseteq X_1\times X_2$,

is said to be an $\varepsilon$-approximate bisimulation relation between $S_1$ and $S_2$, if the following conditions are satisfied:

(i) $\mathcal{R}$ is an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$;

(ii) $\mathcal{R}^{-1}$ is an $\varepsilon$-approximate simulation relation from $S_2$ to $S_1$.

System $S_1$ is $\varepsilon$-approximately bisimilar to $S_2$, denoted by $S_1\cong_\varepsilon S_2$, if there exists an $\varepsilon$-approximate bisimulation relation $\mathcal{R}$ between $S_1$ and $S_2$. When $\varepsilon=0$, system $S_1$ is said to be 0-bisimilar or exactly bisimilar to $S_2$.

We now introduce the notion of approximate composition of systems which is employed in the further developments to formalize the interconnection between a nonlinear control system representing the plant, and a symbolic system representing the symbolic controller.

Definition 2.8. [Tab08] Given two metric systems $S_1=(X_1,X_{0,1},U_1,\longrightarrow_1,Y_1,H_1)$ and $S_2=(X_2,X_{0,2},U_2,\longrightarrow_2,Y_2,H_2)$, with the same output sets $Y_1=Y_2$ and metric $d$, and a precision $\varepsilon\in\mathbb{R}_0^+$, the $\varepsilon$-approximate composition of $S_1$ and $S_2$ is the system:

$S_1\,\|_\varepsilon\,S_2:=(X,X_0,U,\longrightarrow,Y,H)$,

where:

• $X=\{(x_1,x_2)\in X_1\times X_2:\ d(H_1(x_1),H_2(x_2))\le\varepsilon\}$;

• $X_0=X\cap(X_{0,1}\times X_{0,2})$;

• $U=U_1\times U_2$;

• $(x_1,x_2)\xrightarrow{(u_1,u_2)}(x_1',x_2')$ if $x_1\xrightarrow{u_1}x_1'$ in $S_1$ and $x_2\xrightarrow{u_2}x_2'$ in $S_2$;

• $Y=Y_1$;

• $H:X_1\times X_2\to Y$ is given by $H(x_1,x_2):=H_1(x_1)$, for any $(x_1,x_2)\in X$.

The above notion of composition is asymmetric. This is because it models the interaction of systems $S_1$ and $S_2$, which play different roles in the composition. As will be clarified in the next section, we interpret system $S_1$ as the plant system, i.e. the to-be-controlled process, and system $S_2$ as the controller.

3. Problem Statement 

In this paper we address the problem of symbolic control design for nonlinear systems with infinite states specifications modelled by differential equations. In order to formally define the control design problem under consideration, we first need to provide a formal notion of symbolic controllers. Given a control system $\Sigma=(X,X_0,U,\mathcal{U},f)$ and a sampling time parameter $\tau\in\mathbb{R}^+$, we associate the following system to $\Sigma$:

(3.1) $S_\tau(\Sigma):=(X,X_0,\mathcal{U}_\tau,\longrightarrow,Y,H)$,

where:

• $\mathcal{U}_\tau=\{u\in\mathcal{U}:\text{ the domain of }u\text{ is }[0,\tau]\}$;

• $x\xrightarrow{u}x'$ if there exists a trajectory $\xi:[0,\tau]\to X$ of $\Sigma$ satisfying $\xi_{xu}(\tau)=x'$;

• $Y=X$.

System $S_\tau(\Sigma)$ is metric when we regard $Y=X$ as being equipped with the metric $d(p,q)=\|p-q\|$. The above system can be thought of as the time discretization of the control system $\Sigma$.
[Figure 1 (block diagram): control system $\Sigma$: $\dot{x}=f(x,u)$; its state $x$ passes through an A/D converter to the Symbolic Controller $C$, whose output passes through a ZoH to become the input $u$ of $\Sigma$.]

Figure 1. Approximate composition of the plant and specification systems.



Definition 3.1. Given the control system $\Sigma$, a sampling time $\tau\in\mathbb{R}^+$, a state quantization $\theta\in\mathbb{R}^+$ and an input quantization $\mu\in\mathbb{R}^+$, a symbolic controller for $\Sigma$ is formalized by means of the system $C$, where$^1$:

• $X_c=[X]_{2\theta}$;

• $U_c=\{u\in\mathcal{U}_\tau:\text{ the co-domain of }u\text{ is }[U]_{2\mu}\}$;

• $\longrightarrow_c\subseteq X_c\times U_c\times X_c$;

• $Y_c=X_c$.

We denote by $\mathcal{C}^{\tau,\theta,\mu}(\Sigma)$ the class of symbolic controllers with sampling time $\tau$, state quantization $\theta$ and input quantization $\mu$, associated with $\Sigma$. The $\theta$-approximate composition between the time discretization $S_\tau(\Sigma)$ of a control system $\Sigma$ and a symbolic controller $C\in\mathcal{C}^{\tau,\theta,\mu}(\Sigma)$ formalizes classical static state feedback control schemes with digital controllers, studied in the literature, see e.g. [FPW98], as illustrated in Figure 1. The state signal $\xi_{x_0u}(t)$ at time $t\in\mathbb{R}_0^+$ is firstly sampled with sampling time $\tau\in\mathbb{R}^+$, then quantized through an Analog-to-Digital (A/D) converter with precision $\theta\in\mathbb{R}^+$ which associates to a state $\xi_{x_0u}(\tau)$ the unique state $x\in X_c$ for which $\xi_{x_0u}(\tau)\in B_{[\theta[}(x)$$^2$; the obtained digital/symbolic signal is then plugged as input to the digital/symbolic controller $C$ which outputs a symbolic signal taking values in $[U]_{2\mu}$. Such symbolic signal is then plugged into a Zero order Holder (ZoH) with sampling time parameter $\tau$ which outputs in turn a piecewise-constant signal $u$ that is finally plugged as digital/symbolic control input to the control system $\Sigma$.

We are now ready to formally state the symbolic control design problem that we consider in this paper. Consider a plant nonlinear control system:

(3.2) $P=(X_p,X_{p,0},U_p,\mathcal{U}_p,f_p)$,

and a specification nonlinear autonomous system:

$Q=(X_q,X_{q,0},g_q)$.

For the sake of homogeneity in the notation of the plant $P$ and the specification $Q$ we rephrase the above tuple by means of:

(3.3) $Q=(X_q,X_{q,0},U_q,\mathcal{U}_q,f_q)$,

where $U_q=\{u_q\}$ with $u_q=0$, $\mathcal{U}_q=\{\mathbf{u}_q\}$ with $\mathbf{u}_q=0$, the signal $\mathbf{u}_q$ being the identically null function, and $f_q(x,u)=g_q(x)+u$ for any $(x,u)\in X_q\times U_q$.

$^1$ The sets $[X]_{2\theta}$ and $[U]_{2\mu}$ are lattices embedded in the sets $X$ and $U$, with precisions $\theta$ and $\mu$ respectively, as formally defined in the Appendix.

$^2$ The set $B_{[\theta[}(x)$ is defined in the Appendix.



Problem 3.2. Given a plant nonlinear control system $P$ as in (3.2), a specification nonlinear autonomous system $Q$ as in (3.3) and a desired precision $\varepsilon\in\mathbb{R}^+$, find quantization parameters $\tau,\theta,\mu\in\mathbb{R}^+$ and a symbolic controller $C\in\mathcal{C}^{\tau,\theta,\mu}(P)$ such that:

(i) $(S_\tau(P)\,\|_\varepsilon\,C)\preceq_\varepsilon S_\tau(Q)$;

(ii) $S_\tau(P)\,\|_\varepsilon\,C$ is non-blocking.

The above control design problem asks for a symbolic controller $C$ that implements the behaviour of the specification $Q$, up to a precision $\varepsilon$ that can be chosen as small as desired. In other words, in Problem 3.2 we look for a symbolic controller $C$ so that the approximate composition between the plant $P$ and the controller $C$ satisfies or conforms to [CGP99] the specification $Q$ with an arbitrarily small precision. The symbolic controller is furthermore requested to be non-blocking in order to prevent occurrence of deadlocks in the interaction between the plant and the symbolic controller. This control design problem can be seen as an approximated version of similarity games, as discussed in [Tab09]. Similar problems have been studied in the literature (in a non-approximating setting) in the context of supervisory control [CL99] and of symbolic control design for piecewise-affine systems enforcing temporal logic specifications [YB09], among many other works.



4. Symbolic Control Design with Infinite States Specifications 



In this section we provide the solution to Problem 3.2. Inspired by the so-called correct-by-design approach, see e.g. [TP06, Tab08, YB09], we first construct the symbolic systems associated with the plant $P$ and the specification $Q$ in Section 4.1; we then solve the control design problem at the symbolic layer in Section 4.2, to finally come back to the continuous layer in Section 4.3, by providing the bounds in the approximation scheme that we propose, which guarantee the solution to Problem 3.2.



4.1. From the Continuous Layer to the Symbolic Layer. In this section we present some results based on the work of [PGT08] for constructing symbolic systems associated with the plant $P$ and the specification $Q$. We start by recalling from [Ang02] the notion of incremental input-to-state stability for nonlinear control systems.

Definition 4.1. A control system $\Sigma$ is incrementally input-to-state stable ($\delta$-ISS) if it is forward complete and there exist a $\mathcal{KL}$ function $\beta$ and a $\mathcal{K}_\infty$ function $\gamma$ such that for any $t\in\mathbb{R}_0^+$, any $x,x'\in\mathbb{R}^n$, and any $u,u'\in\mathcal{U}$ the following condition is satisfied:

(4.1) $\|\xi_{xu}(t)-\xi_{x'u'}(t)\|\le\beta(\|x-x'\|,t)+\gamma(\|u-u'\|_\infty)$.

A characterization of the above incremental stability notion in terms of dissipation inequalities can be found in [Ang02]. Given a $\delta$-ISS nonlinear control system $\Sigma$ of the form (2.1), a sampling time $\tau\in\mathbb{R}^+$, a state quantization $\eta\in\mathbb{R}^+$ and an input quantization $\mu\in\mathbb{R}^+$, consider the following system:

(4.2) $S_{\tau,\eta,\mu}(\Sigma):=(X_{\tau,\eta,\mu},X_{0,\tau,\eta,\mu},U_{\tau,\eta,\mu},\longrightarrow,Y_{\tau,\eta,\mu},H_{\tau,\eta,\mu})$,

where:

• $X_{0,\tau,\eta,\mu}=X_{\tau,\eta,\mu}\cap X_0$;

• $x\xrightarrow{u}y$ if $\xi_{xu}(\tau)\in B_{[\eta[}(y)\cap X$;
It is readily seen from the definition of $X_{\tau,\eta,\mu}$ and $U_{\tau,\eta,\mu}$ that system $S_{\tau,\eta,\mu}(\Sigma)$ is countable and becomes symbolic when the state space $X$ and the input space $U$ are bounded sets. System $S_{\tau,\eta,\mu}(\Sigma)$ is basically equivalent to the symbolic model proposed in [PGT08]. The main difference is that, while the symbolic model in [PGT08] is not guaranteed to be deterministic, system $S_{\tau,\eta,\mu}(\Sigma)$ is so, as formally stated in the following result:

Proposition 4.2. System $S_{\tau,\eta,\mu}(\Sigma)$ is deterministic.

Proof. The existence and uniqueness of a trajectory from an initial condition $x\in X_{\tau,\eta,\mu}$ with input $u\in U_{\tau,\eta,\mu}$ guarantees that $\xi_{xu}(\tau)$ is uniquely determined. Since the collection of sets $\{B_{[\eta[}(y)\cap X\}_{y\in X_{\tau,\eta,\mu}}$ is a partition of $X$, there exists at most one state $y\in X_{\tau,\eta,\mu}$ such that $\xi_{xu}(\tau)\in B_{[\eta[}(y)\cap X$. □

We stress that determinism in the symbolic system $S_{\tau,\eta,\mu}(\Sigma)$ is an important property because algorithmic synthesis of symbolic systems simplifies when systems are deterministic [Tab09]. We can now give the following result that establishes sufficient conditions for the existence and construction of symbolic systems for nonlinear control systems.



Theorem 4.3. Consider a $\delta$-ISS nonlinear control system $\Sigma=(X,X_0,U,\mathcal{U},f)$ and a desired precision $\theta\in\mathbb{R}^+$. For any sampling time $\tau\in\mathbb{R}^+$, state quantization $\eta\in\mathbb{R}^+$ and input quantization $\mu\in\mathbb{R}^+$ satisfying the following inequality:

(4.3) $\beta(\theta,\tau)+\gamma(\mu)+\eta\le\theta$,

systems $S_{\tau,\eta,\mu}(\Sigma)$ and $S_\tau(\Sigma)$ are $\theta$-approximately bisimilar.


Proof. The proof of the above result can be given along the lines of Theorem 5.1 in [PGT08]. We include it here for the sake of completeness. Consider the relation $\mathcal{R}\subseteq X\times X_{\tau,\eta,\mu}$ defined by $(x,y)\in\mathcal{R}$ if and only if $x\in B_{[\theta[}(y)\cap X$. We start by showing that condition (i) of Definition 2.6 holds. Consider an initial condition $x_0\in X_0$. By definition of the set $X_{0,\tau,\eta,\mu}$ there exists $y_0\in X_{0,\tau,\eta,\mu}$ so that $(x_0,y_0)\in\mathcal{R}$. Condition (ii) in Definition 2.6 is satisfied by the definition of $\mathcal{R}$. Let us now show that condition (iii) in Definition 2.6 holds. Consider any $(x,y)\in\mathcal{R}$. Consider any $u_1\in\mathcal{U}_\tau$ and the transition $x\xrightarrow{u_1}w$ in $S_\tau(\Sigma)$. There exists $u_2\in U_{\tau,\eta,\mu}$ such that:

(4.4) $\|u_2-u_1\|_\infty\le\mu$.

Set $z=\xi_{yu_2}(\tau)$. Since $X=\bigcup_{v\in X_{\tau,\eta,\mu}}B_{[\eta[}(v)\cap X$, there exists $v\in X_{\tau,\eta,\mu}$ such that:

(4.5) $z\in B_{[\eta[}(v)$,

and therefore $y\xrightarrow{u_2}v$ in $S_{\tau,\eta,\mu}(\Sigma)$. Since $\Sigma$ is $\delta$-ISS, by the definition of $\mathcal{R}$ and by condition (4.4), the following chain of inequalities holds:

$\|w-z\|\le\beta(\|x-y\|,\tau)+\gamma(\|u_1-u_2\|_\infty)\le\beta(\theta,\tau)+\gamma(\mu)$,

which implies:

(4.6) $w\in B_{[\beta(\theta,\tau)+\gamma(\mu)[}(z)$.

By combining the inclusions in (4.5) and (4.6), it is readily seen that $w\in B_{[\beta(\theta,\tau)+\gamma(\mu)+\eta[}(v)$. By the inequality in (4.3), $B_{[\beta(\theta,\tau)+\gamma(\mu)+\eta[}(v)\subseteq B_{[\theta[}(v)$, which implies $(w,v)\in\mathcal{R}$ and hence, condition (iii) in Definition 2.6 holds. Thus, condition (i) in Definition 2.7 is satisfied. By using similar arguments it is possible to show condition (ii) of Definition 2.7. □



The above result is conceptually equivalent to Theorem 5.1 in [PGT08]. The main difference is that while Theorem 4.3 relates nonlinear systems to deterministic symbolic systems, Theorem 5.1 in [PGT08] relates nonlinear systems to symbolic models which are in general nondeterministic.

The above result is now employed to define symbolic systems for the plant and the specification. Consider a plant system $P$ as defined in (3.2) and a specification system $Q$ as defined in (3.3). Suppose that $P$ and $Q$ are $\delta$-ISS and choose a precision $\theta_p\in\mathbb{R}^+$ and a precision $\theta_q\in\mathbb{R}^+$, required in the construction of the symbolic systems for $P$ and $Q$, respectively. Let $\beta_p$ and $\gamma_p$ be a $\mathcal{KL}$ function and a $\mathcal{K}_\infty$ function guaranteeing the $\delta$-ISS stability property for $P$ and $\beta_q$ be a $\mathcal{KL}$ function guaranteeing the $\delta$-ISS stability property for $Q$. Find quantization parameters $\tau,\eta,\mu\in\mathbb{R}^+$ such that:

(4.7) $\beta_p(\theta_p,\tau)+\gamma_p(\mu)+\eta\le\theta_p$, $\qquad\beta_q(\theta_q,\tau)+\eta\le\theta_q$.

It is readily seen that parameters $\tau,\eta,\mu\in\mathbb{R}^+$ satisfying the above inequalities always exist. By Theorem 4.3, $S_{\tau,\eta,\mu}(P)$ is $\theta_p$-approximately bisimilar to $S_\tau(P)$ and $S_{\tau,\eta,0}(Q)$ is $\theta_q$-approximately bisimilar to $S_\tau(Q)$. For the sake of notational simplicity in the further developments we refer to the systems $S_{\tau,\eta,\mu}(P)$ and $S_{\tau,\eta,0}(Q)$ by means of $S_p$ and $S_q$, respectively.



4.2. Control Design at the Symbolic Layer. Problem 3.2 translates to the following problem at the symbolic layer:

Problem 4.4. Given system $S_p$ and system $S_q$, find a symbolic controller $C\in\mathcal{C}^{\tau,\theta,\mu}(P)$ such that:

(i) $(S_p\,\|_0\,C)\preceq_0 S_q$;

(ii) $S_p\,\|_0\,C$ is non-blocking.

We start by introducing a technical lemma that will be used in the sequel.

Lemma 4.5. Consider three metric systems $S_i=(X_i,X_{0,i},U_i,\longrightarrow_i,Y,H_i)$, $i=1,2,3$. The following properties hold:

(i) [GP07] For all $\varepsilon_1\in\mathbb{R}_0^+$, if $S_1\preceq_{\varepsilon_1}S_2$ then $S_1\preceq_{\varepsilon_2}S_2$, for all $\varepsilon_2\ge\varepsilon_1$;

(ii) [GP07] For all $\varepsilon_1,\varepsilon_2\in\mathbb{R}_0^+$, if $S_1\preceq_{\varepsilon_1}S_2$ and $S_2\preceq_{\varepsilon_2}S_3$, then $S_1\preceq_{\varepsilon_1+\varepsilon_2}S_3$;

(iii) For all $\varepsilon\in\mathbb{R}_0^+$, $S_1\,\|_\varepsilon\,S_2\preceq_\varepsilon S_2$.



Proof of (iii). Denote $S_1\,\|_\varepsilon\,S_2$ by the tuple $(X,X_0,U,\longrightarrow,Y,H)$ and define:

$\mathcal{R}=\{((x_1,x_2),x)\in X\times X_2:\ x_2=x\}$.

We start by showing that condition (i) in Definition 2.6 holds. Consider any initial condition $(x_{0,1},x_{0,2})\in X_0$. Since $x_{0,2}\in X_{0,2}$, by choosing $x_0=x_{0,2}$ we have that $((x_{0,1},x_{0,2}),x_0)\in\mathcal{R}$. We now show that also condition (ii) in Definition 2.6 holds. Consider any $((x_1,x_2),x)\in\mathcal{R}$. Since $x_2=x$, then $H_2(x_2)=H_2(x)$, hence by Definition 2.8 of approximate composition $d(H(x_1,x_2),H_2(x))=d(H_1(x_1),H_2(x_2))\le\varepsilon$. We conclude by showing that condition (iii) in Definition 2.6 holds. Consider any $((x_1,x_2),x)\in\mathcal{R}$ and any transition $(x_1,x_2)\xrightarrow{(u_1,u_2)}(x_1',x_2')$ in $S_1\,\|_\varepsilon\,S_2$. Choose the transition $x\xrightarrow{u_2}x'$ in $S_2$ so that $x'=x_2'$. By definition of the systems involved such a transition exists. This implies that $((x_1',x_2'),x')\in\mathcal{R}$, which concludes the proof. □



We are now ready to provide the solution to Problem 4.4. Define:

(4.8) $C^*:=S_p\,\|_0\,S_q$.

Theorem 4.6. $Nb(C^*)$ solves Problem 4.4.

Proof. We start by proving condition (i) of Problem 4.4. By Lemma 4.5 (iii), we obtain:

(4.9) $S_p\,\|_0\,Nb(C^*)\preceq_0 Nb(C^*)$.

By the definition of $Nb(C^*)$ it is readily seen that:

(4.10) $Nb(C^*)\preceq_0 C^*$.

By the definition of $C^*=S_p\,\|_0\,S_q$ and Lemma 4.5 (iii), one gets:

(4.11) $C^*\preceq_0 S_q$.

By combining conditions in (4.9), (4.10), (4.11) and by Lemma 4.5 (ii) we obtain:

$S_p\,\|_0\,Nb(C^*)\preceq_0 S_q$.

Hence, condition (i) of Problem 4.4 is proved. We now prove condition (ii) of Problem 4.4. Consider any state $(p_1,p_2,q)$ of $S_p\,\|_0\,Nb(C^*)$. Since $Nb(C^*)$ is non-blocking there exists a state $(p_2^+,q^+)$ of $Nb(C^*)$ so that $(p_2,q)\xrightarrow{u}(p_2^+,q^+)$ is a transition of $Nb(C^*)$ for some input $u=(u_2,u_3)$. Since $Nb(C^*)$ is a sub-system of $C^*=S_p\,\|_0\,S_q$, then by choosing $p_1^+=p_2^+$ and $u_1=u_2$, the transition $p_1\xrightarrow{u_1}p_1^+$ is a transition of $S_p$. Since by construction $p_1^+=p_2^+$, then $(p_1^+,p_2^+,q^+)$ is a state of $S_p\,\|_0\,Nb(C^*)$ and therefore $(p_1,p_2,q)\xrightarrow{(u_1,u)}(p_1^+,p_2^+,q^+)$ is a transition of $S_p\,\|_0\,Nb(C^*)$, which concludes the proof. □
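As an added illustration (not code from the paper), the following Python builds the deterministic symbolic model $S_{\tau,\eta,\mu}$ of Section 4.1, the composition $C^*=S_p\,\|_0\,S_q$ of (4.8) and its non-blocking part $Nb(C^*)$ of Theorem 4.6 for a toy scalar plant, and checks inequality (4.3); the plant, the specification, the lattice and the ball conventions are assumptions stated in the module docstring.

```python
"""Symbolic model S_{tau,eta,mu}, 0-approximate composition C* = S_p ||_0 S_q
and non-blocking part Nb(C*) for a toy scalar plant.

Assumptions (not from the paper): plant x' = -x + u on X = U = [-1, 1],
which is delta-ISS with beta(r, t) = r*exp(-t) and gamma(r) = r; the
specification is x' = -(x - 0.5), i.e. the plant driven by u = 0.5.
The lattice [X]_{2 eta} is taken as the multiples of 2*eta in X and
B_[eta[(y) as the half-open interval [y - eta, y + eta[, so that these
balls partition the line (the property used in Proposition 4.2).
"""
import math
from itertools import product

TAU, ETA, MU, THETA = 1.0, 0.05, 0.05, 0.2   # sampling time, quantizations, precision


def satisfies_4_3(theta, tau, eta, mu):
    """Inequality (4.3) for the toy plant: beta(theta,tau) + gamma(mu) + eta <= theta."""
    return theta * math.exp(-tau) + mu + eta <= theta


def lattice(lo, hi, step):
    """Lattice points k*step inside [lo, hi] (the set [X]_{2 eta} when step = 2*eta)."""
    return [round(k * step, 10) for k in range(math.ceil(lo / step), math.floor(hi / step) + 1)]


def cell_of(z, step):
    """The unique lattice point y with z in [y - step/2, y + step/2[ ."""
    return round(math.floor(z / step + 0.5) * step, 10)


def flow_plant(x, u, tau):
    """xi_{xu}(tau) for x' = -x + u under the constant input u (closed form)."""
    return x * math.exp(-tau) + u * (1.0 - math.exp(-tau))


def flow_spec(x, u, tau):
    """Specification flow; its only input is the null signal u = 0 (see (3.3))."""
    return flow_plant(x, 0.5, tau)


def symbolic_model(states, inputs, flow, tau, eta):
    """S_{tau,eta,mu}: x -u-> y iff xi_{xu}(tau) lies in B_[eta[(y) ∩ X.
    Returned as a dict (x, u) -> y, which encodes determinism (Proposition 4.2)."""
    state_set = set(states)
    trans = {}
    for x, u in product(states, inputs):
        y = cell_of(flow(x, u, tau), 2 * eta)
        if y in state_set:            # drop targets whose cell leaves X
            trans[(x, u)] = y
    return trans


def compose_zero(trans_p, trans_q):
    """0-approximate composition S_p ||_0 S_q (Definition 2.8 with eps = 0 and
    H the identity): states (p, q) with p == q, inputs (u_p, u_q), and a
    transition only when both components move and the target is again a state."""
    comp = {}
    for (p, u_p), p2 in trans_p.items():
        for (q, u_q), q2 in trans_q.items():
            if p == q and p2 == q2:
                comp[((p, q), (u_p, u_q))] = (p2, q2)
    return comp


def states_of(trans):
    """All states mentioned as a source or a target of some transition."""
    return {s for (s, _) in trans} | set(trans.values())


def non_blocking_part(trans):
    """Nb(S) of Definition 2.4: the largest sub-system in which every state has
    an outgoing transition. Blocking states are deleted until a fixed point."""
    alive = states_of(trans)
    while True:
        blocking = {s for s in alive
                    if not any(src == s and dst in alive for (src, _), dst in trans.items())}
        if not blocking:
            break
        alive -= blocking
    return {k: v for k, v in trans.items() if k[0] in alive and v in alive}


def is_non_blocking(trans):
    """Every state of the system has at least one outgoing transition."""
    return all(any(src == s for (src, _) in trans) for s in states_of(trans))


def build_controller(tau=TAU, eta=ETA, mu=MU):
    """Returns (S_p, S_q, C*, Nb(C*)) for the toy plant and specification."""
    xs = lattice(-1.0, 1.0, 2 * eta)
    s_p = symbolic_model(xs, lattice(-1.0, 1.0, 2 * mu), flow_plant, tau, eta)
    s_q = symbolic_model(xs, [0.0], flow_spec, tau, eta)
    c_star = compose_zero(s_p, s_q)
    return s_p, s_q, c_star, non_blocking_part(c_star)


if __name__ == "__main__":
    s_p, s_q, c_star, nb = build_controller()
    print("(4.3) holds:", satisfies_4_3(THETA, TAU, ETA, MU))
    print("states of Nb(C*):", len(states_of(nb)), "non-blocking:", is_non_blocking(nb))
```

With these parameters every lattice state keeps a transition with input $u_p = 0.5$, so $C^*$ is already non-blocking and $Nb(C^*)=C^*$; shrinking the plant input set so that the specification can no longer be tracked makes the fixed-point loop visibly prune states.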



We conclude this section by showing that the controller $Nb(C^*)$ is the maximal system solving Problem 4.4 in the sense of the preorder naturally induced by the notion of 0-simulation relations.

Theorem 4.7. For any system $C$ solving Problem 4.4,

$(S_p\,\|_0\,C)\preceq_0(S_p\,\|_0\,Nb(C^*))$.

Proof. Denote by $S_p'$ and $S_p''$ copies of $S_p$ that are connected to $C$ and $Nb(C^*)$, respectively; denote by $X_{pc}$ and $X_{pc^*}$ the state spaces of $S_p'\,\|_0\,C$ and $S_p''\,\|_0\,Nb(C^*)$ and by $X^0_{pc}$ and $X^0_{pc^*}$ the corresponding sets of initial states. Moreover let $C^*=S_p'''\,\|_0\,S_q$, where $S_p'''$ and $S_q$ are the copies of $S_p$ and $S_q$ in the controller, and define:

$\mathcal{R}=\{((p_1,c),(p_2,p_3,q))\in X_{pc}\times X_{pc^*}:\ ((p_1,c),q)\in\mathcal{R}_1\ \wedge\ p_1=p_2\}$,

where $\mathcal{R}_1$ is a 0-simulation relation from $S_p'\,\|_0\,C$ to $S_q$. We start by showing that condition (i) in Definition 2.6 holds. Consider any initial condition $(p_1^0,c^0)\in X^0_{pc}$. Since $(S_p\,\|_0\,C)\preceq_0 S_q$ there exists an initial state $q^0$ of $S_q$ s.t. $((p_1^0,c^0),q^0)\in\mathcal{R}_1$. By choosing $p_2^0=p_3^0=p_1^0$, we have $(p_2^0,p_3^0,q^0)\in X^0_{pc^*}$ and hence, $((p_1^0,c^0),(p_2^0,p_3^0,q^0))\in\mathcal{R}$. We now show that also condition (ii) in Definition 2.6 holds. Since $H_p(p_1)=H_p(p_2)$, we can conclude $d(H_{pc}(p_1,c),H_{ppq}(p_2,p_3,q))=d(H_p(p_1),H_p(p_2))=0$. We conclude by showing that condition (iii) in Definition 2.6 holds. Consider any $((p_1,c),(p_2,p_3,q))\in\mathcal{R}$ and any transition $(p_1,c)\xrightarrow{(u_p,u_c)}(p_1^+,c^+)$ in $S_p'\,\|_0\,C$. Since $((p_1,c),q)\in\mathcal{R}_1$, there exists a transition $q\xrightarrow{u_q}q^+$ in $S_q$ so that $((p_1^+,c^+),q^+)\in\mathcal{R}_1$. Hence $H_{pc}(p_1^+,c^+)=H_p(p_1^+)=H_q(q^+)$ and $q^+=p_1^+$. Now, since $p_1=p_2=p_3=q$, we consider the transitions $p_2\xrightarrow{u_p}p_2^+$ in $S_p''$, $p_3\xrightarrow{u_p}p_3^+$ in $S_p'''$ and $q\xrightarrow{u_q}q^+$ in $S_q$ with $p_1^+=p_2^+=p_3^+$. Notice that such transitions exist. Hence $(p_2^+,p_3^+,q^+)$ is a state of $S_p''\,\|_0\,Nb(C^*)$ and the transition $(p_2,p_3,q)\xrightarrow{(u_p,u_p,u_q)}(p_2^+,p_3^+,q^+)$ is in $S_p''\,\|_0\,Nb(C^*)$, which implies $((p_1^+,c^+),(p_2^+,p_3^+,q^+))\in\mathcal{R}$. □

This result is important because it shows that the controller $Nb(C^*)$ implements the maximal non-blocking behaviour of the specification symbolic system $S_q$ which can be implemented by the plant symbolic system $S_p$.


4.3. From the Symbolic Layer to the Continuous Layer. We now have all the ingredients to present one of the main results of this paper, which shows that there exists an appropriate choice of quantization parameters so that the symbolic controller $Nb(C^*)$ with $C^*$ defined in (4.8) solves Problem 3.2.

Theorem 4.8. Consider the plant system $P$ as in (3.2), the specification system $Q$ as in (3.3) and a precision $\varepsilon\in\mathbb{R}^+$. Suppose that $P$ and $Q$ are $\delta$-ISS and choose parameters $\theta_p,\theta_q\in\mathbb{R}^+$ so that

(4.12) $\theta_p+\theta_q\le\varepsilon$.

Furthermore choose parameters $\tau,\eta,\mu\in\mathbb{R}^+$ satisfying the inequalities in (4.7). Then the symbolic controller $Nb(C^*)\in\mathcal{C}^{\tau,\theta,\mu}(P)$ with $\theta=\theta_p$ and $C^*$ defined in (4.8) with $S_p=S_{\tau,\eta,\mu}(P)$ and $S_q=S_{\tau,\eta,0}(Q)$, solves Problem 3.2.



Proof. We start by proving condition (i) of Problem 3.2. By Lemma 4.5 (iii), we obtain:

(4.13) $S_\tau(P) \|_{\theta_P} Nb(C^*) \preceq_{\theta_P} Nb(C^*)$.

By the definition of $Nb(C^*)$ it is readily seen that:

(4.14) $Nb(C^*) \preceq_0 C^*$.

By the definition of $C^* = S_P \|_0 S_Q$ and Lemma 4.5 (iii), one gets:

(4.15) $C^* \preceq_0 S_Q$.

Since $S_Q$ is $\theta_Q$-approximately bisimilar to $S_\tau(Q)$ then:

(4.16) $S_Q \preceq_{\theta_Q} S_\tau(Q)$.

By combining conditions in (4.13), (4.14), (4.15), (4.16) and by Lemma 4.5 (ii) we obtain:

$S_\tau(P) \|_{\theta_P} Nb(C^*) \preceq_{\theta_P+\theta_Q} S_\tau(Q)$.

Since by (4.12), $\theta_P + \theta_Q \leq \varepsilon$, by Lemma 4.5 (i), condition (i) of Problem 3.2 is proved. We now prove condition (ii) of Problem 3.2. Consider any state $(p_1,p_2,q)$ of $S_\tau(P) \|_{\theta_P} Nb(C^*)$. Since $Nb(C^*)$ is non-blocking there exists a state $(p_2^+,q^+)$ of $Nb(C^*)$ so that $(p_2,q) \xrightarrow{u} (p_2^+,q^+)$ is a transition of $Nb(C^*)$ for some input $u = (u_2,u_3)$. Since $S_\tau(P)$ and $S_P$ are $\theta_P$-approximately bisimilar, for the transition $p_2 \xrightarrow{u_2} p_2^+$ in $S_P$ there exists a transition $p_1 \xrightarrow{u_2} p_1^+$ in $S_\tau(P)$ so that $d(H_P(p_1^+), H_P(p_2^+)) \leq \theta_P$. This implies that $(p_1^+,p_2^+,q^+)$ is a state of $S_\tau(P) \|_{\theta_P} Nb(C^*)$ and therefore that $(p_1,p_2,q) \to (p_1^+,p_2^+,q^+)$ is a transition of $S_\tau(P) \|_{\theta_P} Nb(C^*)$, which concludes the proof. □



5. Integrated Symbolic Control Design

The construction of the symbolic controller $Nb(S_P \|_0 S_Q)$ solving Problem 3.2 relies upon the basic steps of the procedure illustrated in Algorithm 1.

1 Construct system $S_P$, $\theta_P$-approximately bisimilar to $S_\tau(P)$;
2 Construct system $S_Q$, $\theta_Q$-approximately bisimilar to $S_\tau(Q)$;
3 Construct the composition $S_P \|_0 S_Q$;
4 Compute the non-blocking part $Nb(S_P \|_0 S_Q)$ of $S_P \|_0 S_Q$.

Algorithm 1: Construction of $Nb(S_P \|_0 S_Q)$.

The procedure in Algorithm 1 is common with other approaches currently available in the literature for symbolic control design of continuous and hybrid systems, see e.g. [TP06, YB09, Tab08]. Software implementation of Algorithm 1 requires that:

• State space $X_P$ and set of input values $U_P$ of $P$ are bounded;

• State space $X_Q$ of $Q$ is bounded.

The above assumptions, while being reasonable in many realistic engineering control problems, are also needed to store the transitions of systems $S_P$ and $S_Q$ in a computer machine, whose memory resources are limited by their nature. In this section, we suppose that the plant $P$ and the specification $Q$ satisfy the above assumptions. The procedure illustrated in Algorithm 1 is not efficient from the space and time complexity point of view¹, because:

¹ This qualitative claim will be substantiated in terms of complexity analysis in the next section.

• It considers the whole state spaces of the plant $P$ and the specification $Q$. A more efficient algorithm would consider only the intersection of the accessible parts of $P$ and $Q$.

• For any source state $x$ and target state $y$ it includes all transitions $(x,u,y)$ with any control input $u$ by which state $x$ reaches state $y$. A more efficient algorithm would consider for any source state $x$ and target state $y$ only one control input $u$ and hence, only one transition.

• It first constructs the symbolic models $S_P$ and $S_Q$, then the composed system $S_P \|_0 S_Q$, and finally eliminates blocking states from $S_P \|_0 S_Q$. A more efficient algorithm would eliminate blocking states as soon as they show up.

Inspired by the research line in the context of on-the-fly verification and control of timed or untimed transition systems (see e.g. [CVWY92, TA99]), we now present an algorithm which integrates each step of the four sub-algorithms in Algorithm 1 into only one algorithm.

The proposed procedure is composed of Algorithm 2 and Algorithm 3. Algorithm 2 is the main one, while Algorithm 3 introduces Function NonBlock, which is recursively used in Algorithm 2. The outcome of Algorithm 2 is the symbolic controller $C^{**}$, which will be shown in the further results to solve Problem 3.2. Given a set $T \subseteq X \times U \times Y$, the set $\pi_{source}(T) \subseteq X$ denotes the projection of $T$ onto $X$, i.e.

$\pi_{source}(T) = \{x \in X : \exists y \in Y \wedge \exists u \in U \text{ s.t. } (x,u,y) \in T\}.$

Given a vector $x \in \mathbb{R}^n$ and a precision $\eta \in \mathbb{R}^+$, the symbol $[x]_{2\eta}$ denotes the unique vector in $[\mathbb{R}^n]_{2\eta}$ such that $x \in B_{[\eta[}([x]_{2\eta})$. Algorithm 2 proceeds as follows. The set of states $X_0$ of $C^{**}$ is initialized to be $[X_{P,0} \cap X_{Q,0}]_{2\eta}$ in line 2.8 and the set of states to be processed, denoted by $X_{target}$, is initialized to the set of initial states in line 2.9. The set $T$ of transitions and the set $Bad$ of blocking states of $C^{**}$ are initialized to be the empty sets (lines 2.10, 2.11). At each basic step, Algorithm 2 processes a (non processed) state $x$ in line 2.13, by computing the state $y = [\xi_x(\tau)]_{2\eta}$ (line 2.14). If the state $y$ is non-blocking (line 2.15), the algorithm looks for a control input $u \in [U]_{2\mu}$ such that the plant $P$ meets the specification $Q$, i.e. $z = y$ (line 2.20). If such a control input $u$ exists, then the boolean variable $Flag$ is updated to 1 (line 2.21), the transition $(x,u,y)$ is added to the set of transitions $T$ (line 2.25), and the state $y$ is added to the set of the to-be-processed states (line 2.26). If either state $y$ is blocking or no inputs are found for the plant $P$ to meet the specification $Q$, then state $x$ is declared blocking, and Function NonBlock($T, x, Bad$) in Algorithm 3 is invoked (line 2.30), in order to remove all blocking states originating from $x$. Algorithm 2 proceeds with further basic steps, until there are no more states to be processed. When Algorithm 2 terminates, it returns in line 2.34 the symbolic controller $C^{**}$. Function NonBlock($T, x, Bad$) extracts the non-blocking part of $T$. The set $Bad_x$ includes the states to be processed and is initialized to contain the only state $x$ (line 3.3). At each basic step, for any $y \in Bad_x$, Function NonBlock removes from the set $T$ any transition $(z,u,y)$ ending up in $y$ (line 3.7), it adds $z$ to the set $Bad_x$ of states to be processed (line 3.8) and adds $y$ to the set $Bad$ of blocking states (lines 3.11, 3.12). Function NonBlock terminates when there are no more states to be processed and returns in line 3.14 the updated sets of transitions $T$ and of blocking states $Bad$. Termination of Algorithm 2 is discussed in the following result:

Theorem 5.1. Algorithm 2 terminates in a finite number of steps.

Proof. Algorithm 2 terminates when there are no more states $x$ in $X_{target}$ to be processed. For each state $x$, either line 2.25 or line 2.30 is executed (depending on the value of the boolean variable $Flag$); this ensures by line 2.13 that state $x$ cannot be processed again in future iterations. Furthermore, the set $X_{target}$ is nondecreasing (see line 2.26) and always contained in the finite set $[X_P]_{2\eta} \cap [X_Q]_{2\eta}$. Hence, provided that Algorithm 3 terminates in finite time, the result follows. Regarding termination of Algorithm 3, in the worst case the set $Bad$ ends up coinciding with the accessible states of $S_P$ and $S_Q$ (line 3.12) and the set $Bad_x$ ends up being empty (line 3.11). Hence from line 3.4, finite termination of Algorithm 3 is guaranteed. □
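The on-the-fly construction described above (Algorithm 2 together with Function NonBlock of Algorithm 3), as an added example that is not part of the paper: a Python worklist implementation on a constructed one-dimensional symbolic toy (sampled plant x + u·x, specification 0.5x + 0.2, grid step 2η = 0.2, inputs in [−3,3] with step 2μ = 0.25, all assumptions), run side by side with the four-step procedure of Algorithm 1 so that the accessible part of Nb(C*) can be checked against C**. The worklist replaces the grid sweep of the listing; everything else follows the line numbers quoted in the comments.

```python
"""On-the-fly symbolic controller design in the style of Algorithms 2 and 3,
run next to the four-step procedure of Algorithm 1.  Added example, not the
paper's code: the sampled dynamics, grid and input set are constructed."""
from fractions import Fraction as Fr
import math

# Constructed toy symbolic layer (assumption, not derived from delta-ISS
# models): the plant input is multiplicative, so it has no authority at 0.
def plant_step(x, u):
    return x + u * x                  # plant state after one period tau

def spec_step(x):
    return Fr(1, 2) * x + Fr(1, 5)    # xi_x(tau): contracts towards 0.4

def quantize(x, eta):
    """[x]_{2eta}: the unique multiple of 2*eta whose half-open box
    B_{[eta[} contains x, i.e. x in [q - eta, q + eta[."""
    step = 2 * eta
    return step * math.floor((x + eta) / step)

def grid(lo, hi, eta):
    """[[lo,hi[]_{2eta}: the multiples of 2*eta inside the half-open interval."""
    step = 2 * eta
    return [k * step for k in range(math.ceil(lo / step), math.ceil(hi / step))]

def pi_source(T):
    """pi_source(T): projection of a transition set onto its source states."""
    return {x for (x, _, _) in T}

def nonblock(T, x, bad):
    """Algorithm 3: mark x blocking and propagate backwards along T."""
    bad_x = {x}                                    # line 3.3
    while bad_x:                                   # line 3.4
        y = bad_x.pop()                            # line 3.11
        for (z, u, t) in list(T):                  # lines 3.5-3.10
            if t == y:
                T.discard((z, u, t))               # line 3.7
                bad_x.add(z)                       # line 3.8
        bad.add(y)                                 # line 3.12
    return T, bad

def integrated_design(X, U, X0, eta):
    """Algorithm 2 as a worklist (the listing sweeps the grid instead):
    returns (T, Bad) of C**, with one (x, u, y) per non-blocking state x."""
    X = set(X)
    T, bad, target = set(), set(), set(X0)         # lines 2.8-2.11
    while target - (pi_source(T) | bad):
        x = min(target - (pi_source(T) | bad))     # line 2.13
        y = quantize(spec_step(x), eta)            # line 2.14
        chosen = None
        if y in X and y not in bad:                # line 2.15 (leaving X blocks too)
            for u in U:                            # lines 2.17-2.23
                if quantize(plant_step(x, u), eta) == y:   # lines 2.19-2.20
                    chosen = u                     # Flag := 1
                    break
        if chosen is not None:                     # lines 2.24-2.27
            T.add((x, chosen, y))
            target.add(y)
        else:                                      # lines 2.29-2.31
            T, bad = nonblock(T, x, bad)
    return T, bad

def non_integrated_design(X, U, X0, eta):
    """Algorithm 1: S_P, S_Q, C* = S_P ||_0 S_Q, then Nb(C*) by deleting
    states without successors until none is left.  Returns the transitions
    of Nb(C*) and its accessible states Ac(Nb(C*)) from X0."""
    X = set(X)
    SP = {(x, u, quantize(plant_step(x, u), eta)) for x in X for u in U}
    SQ = {(x, quantize(spec_step(x), eta)) for x in X}
    # exact composition: outputs must agree, so the plant must hit spec's successor
    C = {(x, u, y) for (x, u, y) in SP if y in X and (x, y) in SQ}
    states = set(X)
    while states - pi_source(C):                   # blocking states remain
        states &= pi_source(C)
        C = {(x, u, y) for (x, u, y) in C if y in states}
    acc, frontier = set(), set(X0) & states
    while frontier:
        acc |= frontier
        frontier = {y for (x, _, y) in C if x in frontier} - acc
    return C, acc

def demo():
    """Constructed instance: X = [-1,1[, X0 = [-1,0[, eta = 1/10 (grid step
    0.2), U = [-3,3] with mu = 1/8 (input step 0.25)."""
    eta, mu = Fr(1, 10), Fr(1, 8)
    X, X0 = grid(-1, 1, eta), grid(-1, 0, eta)
    U = [k * 2 * mu for k in range(-12, 13)]
    T, bad = integrated_design(X, U, X0, eta)
    nb, acc = non_integrated_design(X, U, X0, eta)
    return {"C**_states": pi_source(T), "C**_transitions": len(T), "Bad": bad,
            "Nb_states": pi_source(nb), "Nb_transitions": len(nb),
            "Ac(Nb)_states": acc, "C**_in_Nb": T <= nb}
```

On this instance the state 0 is blocking (no input moves the plant away from it), and NonBlock then retracts the transitions already recorded from −0.6 and −0.4 into it; Nb(C*) keeps two states (0.6, 0.8) that are not accessible from X0 and 14 transitions against the 5 of C**, which is what Proposition 5.3 and Theorem 5.2 predict.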

Formal correctness of Algorithm 2 is guaranteed by the following result.

Theorem 5.2. Controllers $Nb(C^*)$ and $C^{**}$ are exactly bisimilar.
1 Input:
2   Plant: $P = (X_P, X_{P,0}, U_P, \mathcal{U}_P, f_P)$;
3   Specification: $Q = (X_Q, X_{Q,0}, U_Q, \mathcal{U}_Q, f_Q)$;
4   Precision: $\varepsilon \in \mathbb{R}^+$;
5   Parameters: $\theta_P, \theta_Q \in \mathbb{R}^+$ satisfying (4.12);
6   Parameters: $\tau, \eta, \mu \in \mathbb{R}^+$ satisfying (4.7);
7 Init:
8   $X_0 := [X_{P,0} \cap X_{Q,0}]_{2\eta}$;
9   $X_{target} := X_0$;
10  $T := \emptyset$;
11  $Bad := \emptyset$;
12 foreach $x \in [X_P \cap X_Q]_{2\eta}$ do
13   if $x \in X_{target} \setminus (\pi_{source}(T) \cup Bad)$ then
14     compute $y = [\xi_x(\tau)]_{2\eta}$;
15     if $y \notin Bad$ then
16       $Flag := 0$;
17       while $Flag = 0$ do
18         choose $u \in [U_P]_{2\mu}$;
19         compute $z = [x(\tau)]_{2\eta}$;
20         if $z = y$ then
21           $Flag := 1$;
22         end
23       end
24       if $Flag = 1$ then
25         $T := T \cup \{(x,u,y)\}$;
26         $X_{target} := X_{target} \cup \{y\}$;
27       end
28     end
29     if $Flag = 0 \vee y \in Bad$ then
30       $(T, Bad) :=$ NonBlock$(T, x, Bad)$;
31     end
32   end
33 end
34 output: $C^{**}$

Algorithm 2: Integrated Symbolic Control Design.



Proof. (Sketch.) For any state $(x_p,x_q)$ of the accessible part $Ac(Nb(C^*))$ of $Nb(C^*)$ there exists a state $x_c$ of $C^{**}$ so that $x_p = x_q = x_c$ (see lines 2.14, 2.19, 2.20 and 2.25 in Algorithm 2). Consider the relation defined by $((x_p,x_q),x_c) \in \mathcal{R}$ if and only if $x_p = x_c$. It is readily seen that $\mathcal{R}$ is a $0$-bisimulation relation between $Nb(C^*)$ and $C^{**}$. □

By the above result the controller $Nb(C^*)$ solves Problem 3.2 if and only if the controller $C^{**}$ solves Problem 3.2. Hence, it shows that Algorithm 2 is correct. While the controllers $Nb(C^*)$ and $C^{**}$ are exactly bisimilar, the number of states of $C^{**}$ is in general smaller than the one of $Nb(C^*)$. In fact the controller $Nb(C^*)$ may contain spurious states, e.g. states which are not accessible from a quantized initial condition in $S_P$ and a quantized initial condition in $S_Q$, since in general $Ac(Nb(C^*))$ is a (strict) sub-system of $Nb(C^*)$. On the other hand, a straightforward inspection of Algorithm 2 reveals that:
1 Function $(T, Bad) :=$ NonBlock$(T, x, Bad)$;
2 Init:
3   $Bad_x := \{x\}$;
4 foreach $y \in Bad_x$ do
5   foreach $z \in \pi_{source}(T)$ do
6     if $\exists u \in [U]_{2\mu}$ such that $(z,u,y) \in T$ then
7       $T := T \setminus \{(z,u,y)\}$;
8       $Bad_x := Bad_x \cup \{z\}$;
9     end
10  end
11  $Bad_x := Bad_x \setminus \{y\}$;
12  $Bad := Bad \cup \{y\}$;
13 end
14 output: $(T, Bad)$

Algorithm 3: Non-blocking Algorithm.
Proposition 5.3. $Ac(C^{**}) = C^{**}$.

Hence, the aforementioned spurious states of $Nb(C^*)$ are not included in $C^{**}$. The above remarks suggest the following result:

Theorem 5.4. $C^{**}$ is the minimal $0$-bisimilar system of $Nb(C^*)$.

Proof. The proof can be given by using standard arguments on bisimulation theory [CGP99]. Briefly, since by Proposition 5.3 $Ac(C^{**}) = C^{**}$ and since the output function $H_{\tau,\eta,\mu}$ of $C^{**}$ is the natural inclusion from $\pi_{source}(T)$ to $X$, the maximal $0$-bisimulation relation $\mathcal{R}^*$ between $C^{**}$ and itself is the identity relation, i.e. $\mathcal{R}^* = \{(x_1,x_2) \in \pi_{source}(T) \times \pi_{source}(T) : x_1 = x_2\}$. Since $\mathcal{R}^*$ is the identity relation, the quotient of $C^{**}$ induced by $\mathcal{R}^*$ coincides with $C^{**}$. Finally, since by Theorem 5.2 systems $C^{**}$ and $Nb(C^*)$ are $0$-bisimilar, the result follows. □

The above result is important because it shows that the controller $C^{**}$ is the system with the smallest number of states which is equivalent by bisimulation to the solution $Nb(C^*)$ of Problem 3.2.



6. Space and Time Complexity Analysis

In this section we provide a formal comparison, in terms of space and time complexity, between the procedure illustrated in Algorithm 1 and Algorithm 2.

Proposition 6.1. Space complexity of Algorithm 1 is $O(\max\{card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu}),\ card([X_Q]_{2\eta})\})$.

Proof. Since by Proposition 4.2 system $S_P$ is deterministic, the number of transitions of $S_P$ amounts to $card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu})$. For the same reason, the number of transitions of $S_Q$ is given by $card([X_Q]_{2\eta})$. By definition of exact composition (see Definition 2.8 with $\varepsilon = 0$), the number of transitions in $S_P \|_0 S_Q$ amounts in the worst case to $card([X_P]_{2\eta} \cap [X_Q]_{2\eta}) \cdot card([U_P]_{2\mu})$. By definition of the $Nb$ operator, the number of transitions in $Nb(C^*)$ is less than or equal to the one of $S_P \|_0 S_Q$. Hence, by comparing the above worst case bounds, the result follows. □

Proposition 6.2. Space complexity of Algorithm 2 is $O(card([X_P]_{2\eta} \cap [X_Q]_{2\eta}))$.

Proof. By lines 2.14, 2.15, 2.20, and 2.25 in Algorithm 2 the triple $(x,u,y)$ is added to the set $T$ of transitions of $C^{**}$ if $(x,u,y)$ is a transition of $S_P$ and $(x,y)$ is a transition of $S_Q$. Hence, the result follows from determinism of systems $S_P$ and $S_Q$, which is guaranteed by Proposition 4.2. □

By comparing Propositions 6.1 and 6.2 it is readily seen that the space complexity of Algorithm 2 is smaller than or equal to the space complexity of Algorithm 1. In particular, when the plant system $P$ and the specification system $Q$ coincide, implying $[X_P]_{2\eta} = [X_Q]_{2\eta}$ and $card([U_P]_{2\mu}) = 1$, the space complexity of the procedure in Algorithm 1 and of Algorithm 2 coincide, resulting in $O(card([X_P]_{2\eta})) = O(card([X_Q]_{2\eta}))$. This is indeed consistent with the integration philosophy that we advocated in Algorithm 2: Algorithm 2 becomes more and more efficient from the space complexity point of view the more the behaviours of the plant and of the specification differ, while when $P$ and $Q$ coincide there is no gain in terms of space complexity in the use of Algorithm 2. We now proceed with a further step by providing a comparison in terms of time complexity analysis.

Proposition 6.3. Time complexity of Algorithm 1 is $O(card([X_Q]_{2\eta}) \cdot card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu}))$.

Proof. The number of steps needed in the construction of $S_P$ and $S_Q$ amounts to $card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu})$ and $card([X_Q]_{2\eta})$, respectively. Since as shown in Proposition 6.1 the number of transitions in $S_P$ and $S_Q$ is given respectively by $card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu})$ and $card([X_Q]_{2\eta})$, the number of steps needed in the construction of $S_P \|_0 S_Q$ is given by $card([X_Q]_{2\eta}) \cdot card([X_P]_{2\eta}) \cdot card([U_P]_{2\mu})$. Regarding the computation of the non-blocking part $Nb(S_P \|_0 S_Q)$, in the worst case for any state of $S_P \|_0 S_Q$, i.e. for any state in $[X_Q \cap X_P]_{2\eta}$, all transitions in $S_P \|_0 S_Q$ need to be processed in order to find blocking states. Since the number of transitions in $S_P \|_0 S_Q$ is $card([X_Q \cap X_P]_{2\eta}) \cdot card([U_P]_{2\mu})$, the overall number of steps needed in the computation of $Nb(S_P \|_0 S_Q)$ is given by $card([X_Q \cap X_P]_{2\eta})^2 \cdot card([U_P]_{2\mu})$. By comparing the above worst case bounds, the result follows. □

Proposition 6.4. Time complexity of Algorithm 2 is

$O(\max\{card([X_Q \cap X_P]_{2\eta}) \cdot card([U_P]_{2\mu}),\ card([X_Q \cap X_P]_{2\eta})^2\})$.

Proof. By exploring Algorithm 2 it is easy to see that the number of steps needed in the computation of $C^{**}$ is upper bounded by:

(6.1) $\sum_{i=0}^{N_1} (N_2^i + N_3^i)$,

where $N_1 = card([X_P \cap X_Q]_{2\eta})$, $N_2^i$ is an upper bound to the number of steps needed in the execution of lines 2.13/27 in Algorithm 2 and $N_3^i$ is an upper bound to the number of steps needed in the execution of lines 2.28/30 in Algorithm 2. The quantity in (6.1) can be rewritten as the sum of the term $\sum_{i=0}^{N_1} N_2^i$ and the term $\sum_{i=0}^{N_1} N_3^i$, the first of which is upper bounded by $card([X_P \cap X_Q]_{2\eta}) \cdot card([U_P]_{2\mu})$. Regarding the term $\sum_{i=0}^{N_1} N_3^i$, whenever Algorithm 2 executes line 2.30, i.e. $(T,Bad) :=$ NonBlock$(T, x, Bad)$, the states $x$ involved are different. Indeed suppose by contradiction that at step $i$ state $x$ is processed in line 2.30 and at step $j$ state $x'$ is processed in line 2.30 with $i < j$ and $x = x'$. When at step $i$ Algorithm 3 is invoked, state $x$ is added to the set $Bad$ (see lines 3.3, 3.4 and 3.12). Since at the end of step $i$ state $x \in Bad$, in the further steps and in particular at step $j$, state $x$ will be no longer processed (see line 2.13). Since $x' = x$, then at step $j$ state $x'$ cannot be processed in line 2.30. Hence a contradiction holds. Since any time Algorithm 3 is invoked it processes different states, the overall time complexity due to the term $\sum_{i=0}^{N_1} N_3^i$ is upper bounded by the time complexity needed in computing the non-blocking part of $S_P \|_0 S_Q$ which, from Proposition 6.3, amounts to $card([X_Q \cap X_P]_{2\eta})^2 \cdot card([U_P]_{2\mu})$. By comparing the above worst case bounds, the result follows. □

By comparing Propositions 6.3 and 6.4 it is readily seen that the time complexity of Algorithm 2 is smaller than or equal to the time complexity of Algorithm 1. In particular, when the plant system $P$ and the specification system $Q$ coincide, implying $[X_P]_{2\eta} = [X_Q]_{2\eta}$ and $card([U_P]_{2\mu}) = 1$, the time complexity of the procedure in Algorithm 1 and of Algorithm 2 coincide, resulting in $O(card([X_P]_{2\eta})^2) = O(card([X_Q]_{2\eta})^2)$.

7. Examples

In this section we present some examples of application of the results illustrated in the previous sections. In particular, we consider in Section 7.1 the symbolic control design problem for a nonlinear control system and in Section 7.2 symbolic control design for linear control systems. The results shown hereafter are based on computations performed on an Intel Core 2 Duo T5500 1.66GHz laptop with 4 GB RAM.

7.1. Nonlinear Control Systems. Consider the following nonlinear plant control system:

$\dot x_1 = -2x_1 + x_2^2 - u$
$\dot x_2 = 2x_1 - 7e^{x_2} + 7$
$\dot x_3 = -3x_3 + {}$ [term illegible in the scan]

and an infinite states specification, expressed by the following differential equation:

$\dot x_1 = -3x_1 + x_3$
$\dot x_2 = x_1 - 5\sin x_2$
$\dot x_3 = -x_1 - 4x_3.$

We suppose for simplicity that the plant and the specification systems share the same state space, chosen as:

$X_P = X_Q = [-1,1[ \times [-1,1[ \times [-1,1[,$

the same set of initial states, chosen as:

$X_P^0 = X_Q^0 = [-1,0[ \times [-1,0[ \times [-1,0[,$

and that the plant input space is:

$U = [-1,1].$

By using the $\delta$-ISS Lyapunov characterization in [Ang02] it is possible to show that the plant system $P$ is $\delta$-ISS with functions:

$\beta_P(r,s) := \sqrt{2}\, e^{-1.2 s}\, r,\quad \gamma(r) := \sqrt{14.88}\, r,\quad r,s \in \mathbb{R}_0^+.$

Analogously the specification system $Q$ can be shown to be $\delta$-ISS with function:

$\beta_Q(r,s) := \sqrt{2}\, e^{-s}\, r,\quad r,s \in \mathbb{R}_0^+.$

For a precision $\varepsilon = 0.2$, we can choose the following quantization parameters for the plant and the specification systems:

$\theta_P = 0.13,\quad \theta_Q = 0.07,\quad \eta = 1/30,\quad \tau = 1,\quad \mu = 0.001.$

The above choice of quantization parameters guarantees that the inequalities in (4.7) and (4.12) are fulfilled. By running Algorithm 2 the integrated symbolic controller $C^{**}$ has been designed. Given the large size of the controller obtained (3152 states) we do not report in the paper further details on it. Figure 2 shows the evolution of the plant system $P$ when interconnected with the symbolic controller $C^{**}$ and the evolution of the specification system $Q$, with initial condition $x_0 = (-1,-1,-1+4\eta)$. It is readily seen from the plots that for the initial condition $x_0$ the specification is fulfilled, up to the precision $\varepsilon = 0.2$ chosen in this example.

Figure 2. Trajectories of the controlled plant and the specification systems with initial condition $(-1,-1,-1+4\eta)$.

Table 1. Details on the computation of $Nb(C^*)$.

               S_P         S_Q       C*         Nb(C*)
States         29791       29791     21894      21894
Transitions    29820791    29791     1265217    1265217

Table 2. Comparison in the computation of $Nb(C^*)$ and $C^{**}$.

                         Nb(C*)      C**      Ratio
States                   21894       3152     0.14
Transitions              1265217     3152     2.5 · 10^-3
Max memory occupation    93347397    10400    1.11 · 10^-4
Time                     147487      11144    0.08

We conclude this section by discussing a comparison between the "integrated" approach formulated in Algorithm 2 and the "non-integrated" approach described in Algorithm 1. Experimental results associated with the computation of $C^{**}$ and of $Nb(C^*)$ are reported in Tables 1 and 2. In particular, Table 1 shows details of the computation of the controller $Nb(C^*)$ performed by running Algorithm 1, and Table 2 reports a comparison between the computation of the controllers $C^{**}$ and $Nb(C^*)$. The computation time needed in the construction of the controllers is expressed in seconds and the maximal memory occupation is given in terms of the maximal number of data needed in the construction of the controllers. In particular, the maximal memory occupation in the construction of $Nb(C^*)$ is expressed as the sum of the number of transitions of $S_P$, the number of transitions of $S_Q$ and the number of transitions of $S_P \|_0 S_Q$, while the maximal memory occupation in the construction of $C^{**}$ is given as the sum of the number of transitions in $C^{**}$ and the number of states in $Bad$. For both controllers $Nb(C^*)$ and $C^{**}$ each transition is weighted as three data and each state as one datum. The experimental results shown in Table 2 can be summarized as follows:

• The number of states of $C^{**}$ is 14% of the number of states of $Nb(C^*)$;

• The number of transitions of $C^{**}$ is 0.25% of the number of transitions of $Nb(C^*)$;

• The maximal memory occupation of $C^{**}$ is 0.011% of the maximal memory occupation of $Nb(C^*)$;

• The time needed in the computation of $C^{**}$ is 8% of the time of computation of $Nb(C^*)$.

7.2. Linear Control Systems. In this section we consider eight examples randomly chosen in the class of linear systems, characterized by different properties regarding controllability and eigenvalues of the dynamical matrices. We consider controllable versus non-controllable plant systems (Examples no. 1, 2, 3, 4 vs. 5, 6, 7, 8), plant dynamical matrices $A_P$ with real versus complex eigenvalues (Examples no. 3, 4, 5, 6, 7, 8 vs. 1, 2), and specification dynamical matrices $A_Q$ with real versus complex eigenvalues (Examples no. 2, 3, 7 vs. 1, 4, 5, 6, 8). Table 3 shows the experimental results. In particular lines 1.1, 1.2 and 1.3 show respectively the dynamical matrices $A_P$ and $B_P$ of the plant $P$ and the dynamical matrix $A_Q$ of the specification $Q$. For simplicity we consider in the eight examples the same state space of the plant and the specification, chosen as:

$X_P = X_Q = [-0.5,0.5[ \times [-0.5,0.5[,$

the same set of initial states of $P$ and $Q$, chosen as:

$X_P^0 = X_Q^0 = [-0.25,0.25[ \times [-0.25,0.25[,$

and the same input space, chosen as:

$U = [-2,2].$

The quantization parameters in the construction of the symbolic systems $S_P$ and $S_Q$ are the same in all the examples and chosen as:

$\varepsilon = 0.1,\quad \tau = 0.5,\quad \mu = 0.001,\quad \eta = 0.01,\quad \theta_P = 0.05,\quad \theta_Q = 0.05.$

It is readily seen that the above parameters satisfy the inequalities in (4.7) and (4.12). Experimental results associated with the computation of the controller $Nb(C^*)$ are reported in lines 2.1/2.10. In particular, line 2.10 shows the time of computation needed in the construction of $Nb(C^*)$ and line 2.9 shows the maximal memory occupation in the construction of $Nb(C^*)$. Experimental results associated with the computation of the controller $C^{**}$ are reported in lines 3.1/3.5. In particular line 3.5 shows the time of computation needed in the construction of $C^{**}$ and line 3.4 shows the maximal memory occupation in the construction of $C^{**}$. Table 4 summarizes the results shown in Table 3:

• Line 4.1: Gain in terms of number of states. The minimum gain of the integrated procedure versus the non-integrated procedure is obtained in Example # 5, resulting in 100% (meaning that in this example there is no gain in the integrated procedure) and the maximum gain is obtained in Example # 7, resulting in 53%.

• Line 4.2: Gain in terms of number of transitions. The minimum gain of the integrated procedure versus the non-integrated procedure is obtained in Example # 3, resulting in 5%, and the maximum gain is obtained in Example # 7, resulting in 2%.

• Line 4.3: Gain in terms of maximal memory occupation. The minimum gain of the integrated procedure versus the non-integrated procedure is obtained in Examples # 2 and 4, resulting in 0.017%, and the maximum gain is obtained in Example # 8, resulting in 0.007%.

• Line 4.4: Gain in terms of time of computation. The minimum gain of the integrated procedure versus the non-integrated procedure is obtained in Example # 3, resulting in 28%, and the maximum gain is obtained in Example # 7, resulting in 9%.



8. Discussion

In this paper we addressed the problem of symbolic control design of nonlinear systems with infinite states specifications, modelled by differential equations. After having provided an explicit solution to the symbolic control design problem, we presented Algorithm 2, which integrates the design of the symbolic controller with the construction of the symbolic systems of the plant and of the specification. Although the focus of the present paper is on infinite states specifications, it can be shown that the results here presented can be easily adapted to consider finite states specifications, which include language specifications formalized through automata theory [CL99]. This is important because, as shown in the work of [TP06, Tab08, BH06], automata theory provides a novel class of specifications which were traditionally not addressed before in the control design of continuous (nonlinear) systems. Future work will focus on more efficient techniques at the software layer which can further reduce space and time complexity in the implementation of Algorithm 2. Useful insights in
Table 3. Details on the computation of $Nb(C^*)$ and $C^{**}$.

                            Example # 1   Example # 2   Example # 3   Example # 4
1. Data
1.1 A_P, 1.2 B_P, 1.3 A_Q   (matrix entries not recoverable from the scan; surviving
                             fragments: -0.9, -0.6, (1 1)', -0.8 -0.4, 0.4 -0.8)
2. Nb(C*)
2.1 States of S_P           2601          2601          2601          2601
2.2 Transitions of S_P      2675069       2494785       2489327       2446901
2.3 States of S_Q           2601          2601          2601          2601
2.4 Transitions of S_Q      2601          2601          2601          2601
2.5 States of C*            611           603           403           915
2.6 Transitions of C*       8013          7507          4969          11151
2.7 States of Nb(C*)        403           521           343           499
2.8 Transitions of Nb(C*)   5719          6753          4331          6505
2.9 Max(Nb(C*))             8057049       7514679       7490691       7381959
2.10 Time(Nb(C*))           7780          7095          4648          4068
3. C**
3.1 States of C**           239           281           199           277
3.2 Transitions of C**      239           281           199           277
3.3 States in Bad           490           448           530           452
3.4 Max(C**)                1207          1291          1127          1283
3.5 Time(C**)               1300          1800          1300          770

                            Example # 5   Example # 6   Example # 7   Example # 8
2. Nb(C*)
2.1 States of S_P           2601          2601          2601          2601
2.2 Transitions of S_P      3290367       3721269       3215397       3721269
2.3 States of S_Q           2601          2601          2601          2601
2.4 Transitions of S_Q      2601          2601          2601          2601
2.5 States of C*            381           325           1377          227
2.6 Transitions of C*       9467          9233          33453         6451
2.7 States of Nb(C*)        99            129           153           65
2.8 Transitions of Nb(C*)   2461          3665          3717          1847
2.9 Max(Nb(C*))             9907305       11199309      9754353       11190963
2.10 Time(Nb(C*))           6285          7080          4880          9444
3. C**
3.1 States of C**           99            109           81            53
3.2 Transitions of C**      99            109           81            53
3.3 States in Bad           630           620           648           676
3.4 Max(C**)                927           947           891           835
3.5 Time(C**)               920           850           430           990
Table 4. Comparison between the computation of $Nb(C^*)$ and of $C^{**}$.

                                          Example # 1   Example # 2   Example # 3   Example # 4
4.1 States(C**)/States(Nb(C*))            0.59          0.54          0.58          0.56
4.2 Transitions(C**)/Transitions(Nb(C*))  0.04          0.04          0.05          0.04
4.3 Max(C**)/Max(Nb(C*))                  1.5 · 10^-4   1.7 · 10^-4   1.5 · 10^-4   1.7 · 10^-4
4.4 Time(C**)/Time(Nb(C*))                0.17          0.25          0.28          0.19

                                          Example # 5   Example # 6   Example # 7   Example # 8
4.1 States(C**)/States(Nb(C*))            1.00          0.84          0.53          0.81
4.2 Transitions(C**)/Transitions(Nb(C*))  0.04          0.03          0.02          0.03
4.3 Max(C**)/Max(Nb(C*))                  0.9 · 10^-4   0.8 · 10^-4   0.9 · 10^-4   0.7 · 10^-4
4.4 Time(C**)/Time(Nb(C*))                0.15          0.12          0.09          0.10



this direction can be found in the tool Pessoa [Pes09], which employs binary decision diagrams [Pac] as data structures to encode symbolic systems.

Acknowledgement. The first author would like to thank Paulo Tabuada for having inspired the idea of inte- 
gration of control algorithms with the construction of the symbolic systems of the plant and the specification. 

Appendix: Notation

The identity map on a set $A$ is denoted by $1_A$. Given two sets $A$ and $B$, if $A$ is a subset of $B$ we denote by $\iota_A : A \to B$ or simply by $\iota$ the natural inclusion map taking any $a \in A$ to $\iota(a) = a \in B$. Given a function $f : A \to B$ the symbol $f(A)$ denotes the image of $A$ through $f$, i.e. $f(A) := \{b \in B : \exists a \in A \text{ s.t. } b = f(a)\}$; if $C \subseteq A$ we denote by $f|_C$ the restriction of $f$ to $C$, i.e. $f|_C(x) := f(x)$ for any $x \in C$. Given a relation $R \subseteq A \times B$, $R^{-1}$ denotes the inverse relation of $R$, i.e. $R^{-1} := \{(b,a) \in B \times A : (a,b) \in R\}$. A relation $R \subseteq A \times B$ is a preorder if it is reflexive, transitive but not symmetric. The symbols $\mathbb{N}$, $\mathbb{Z}$, $\mathbb{R}$, $\mathbb{R}^+$ and $\mathbb{R}_0^+$ denote the set of natural, integer, real, positive real, and nonnegative real numbers, respectively. Given a vector $x \in \mathbb{R}^n$, we denote by $x_i$ the $i$-th element of $x$ and by $\|x\|$ the infinity norm of $x$; we recall that $\|x\| = \max\{|x_1|, |x_2|, \ldots, |x_n|\}$, where $|x_i|$ denotes the absolute value of $x_i$. Given a measurable function $f : \mathbb{R}_0^+ \to \mathbb{R}^n$, the (essential) supremum of $f$ is denoted by $\|f\|_\infty$; we recall that $\|f\|_\infty = (\mathrm{ess}) \sup\{\|f(t)\|, t \geq 0\}$; $f$ is essentially bounded if $\|f\|_\infty < \infty$. Given $x \in \mathbb{R}^n$ and $\varepsilon \in \mathbb{R}^+$ the symbol $B_\varepsilon(x)$ denotes the set $\{y \in \mathbb{R}^n : \|x - y\| \leq \varepsilon\}$ and the symbol $B_{[\varepsilon[}(x)$ denotes the set $[-\varepsilon + x_1, x_1 + \varepsilon[ \times [-\varepsilon + x_2, x_2 + \varepsilon[ \times \ldots \times [-\varepsilon + x_n, x_n + \varepsilon[$. It is readily seen that if $x \in B_\varepsilon(y)$ and $y \in B_{[\varepsilon[}(z)$ then $x \in B_{[2\varepsilon[}(z)$. For any $A \subseteq \mathbb{R}^n$ and $\mu \in \mathbb{R}^+$, define $[A]_\mu = \{a \in A \mid a_i = k_i \mu,\ k_i \in \mathbb{Z},\ i = 1,2,\ldots,n\}$. The set $[A]_\mu$ will be used as an approximation of the set $A$ with precision $\mu/2$. For a given time $\tau \in \mathbb{R}^+$, define $f_\tau$ so that $f_\tau(t) = f(t)$ for any $t \in [0,\tau[$, and $f_\tau(t) = 0$ elsewhere; $f$ is said to be locally essentially bounded if for any $\tau \in \mathbb{R}^+$, $f_\tau$ is essentially bounded. A continuous function $\gamma : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is said to belong to class $\mathcal{K}$ if it is strictly increasing and $\gamma(0) = 0$; $\gamma$ is said to belong to class $\mathcal{K}_\infty$ if $\gamma \in \mathcal{K}$ and $\gamma(r) \to \infty$ as $r \to \infty$. A continuous function $\beta : \mathbb{R}_0^+ \times \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is said to belong to class $\mathcal{KL}$ if, for each fixed $s$, the map $\beta(r,s)$ belongs to class $\mathcal{K}_\infty$ with respect to $r$ and, for each fixed $r$, the map $\beta(r,s)$ is decreasing with respect to $s$ and $\beta(r,s) \to 0$ as $s \to \infty$.